
I Need a M.2 WiFi card with monitor mode in Windows 10

asked 2025-02-25 13:15:53 +0000

Griswold

updated 2025-03-01 10:36:27 +0000

Per the title. I need a M.2 form factor WiFi card that supports Monitor Mode on a Dell All-In-One running Windows 10.

Any recommendations would be greatly received.

Many Thanks

Peter


Comments

Nobody? Surely someone is using one in their Windows laptop?

Griswold ( 2025-03-08 12:36:37 +0000 )

Since Npcap has to talk to it, you might ask in their GitHub issues.

It would not be internal, but with Windows it is often easiest with a Raspberry Pi velcro'ed to the back and accessed over USB with sshdump or wifidump (Wireshark man pages).

Chuckc ( 2025-03-08 15:48:36 +0000 )

I think the Pis are limited to WiFi 5 (IEEE 802.11ac).

grahamb ( 2025-03-08 15:55:54 +0000 )

1 Answer


answered 2025-03-09 13:40:49 +0000

Bob Jones

The reason you are not finding any answers is that Windows with Npcap is not suitable for professional use to collect 802.11/monitor mode captures.

Can you get a monitor mode frame into your Windows system with this? Maybe, with the correct adapter (https://secwiki.org/w/Npcap/WiFi_adap...). But it is not good enough for real usage - a host of issues arise like you can't change channels, extra data is added to each frame, can't decrypt what is captured, radiotap contains very little important information, etc. There was a SharkFest talk on this a few years back - probably available on YouTube.

If you MUST use Windows, then use a third-party collection tool like CommView for WiFi or Omnipeek, then you can still analyze in Wireshark if you want. CommView supports recent M.2 Intel wireless chips as well as recent WiFi6E USB adapters, too. It has its own issues, but the goal is to get something that is good enough to get the job done as perfection in this space is difficult to come by. Linux and (at least older) MacBooks make better capture systems for 802.11/monitor mode.

Raspberry Pis are reasonable remote capture devices but note at least up to RPI4, the Broadcom wireless chip requires a non-typical kernel to enable monitor mode. It's not a great wireless chip, either, so it's more of the RPI as a carrier platform - get a WLANPI (https://www.wlanpi.com/) where they marry the board to a better WiFi chipset for monitor mode collection. If you want to try an RPI with the native chipset, I found Kali distro to come with the correct FW and kernel driver to enable monitor mode. Things may have gotten better with RPI5, but since moving to the WLANPI, no need to concern myself with the state since that solution is tailor-made for this work and does a nice enough job.

If you do find something and think it is good, let us know.


Comments

Many thanks for that very useful information, will look at it in detail.

Perhaps I should be more specific about what I'm trying to do. My router, a Zyxel 3301-TO, is reporting that the Ring Chime Pro on my WLAN is sending Ping Of Death Attacks, (around 20 at a time), every 6 hours.

Ring say it can't be happening, my router says it is. What I want to do is monitor that specific device at the time it's happening to see what's actually going on and to be able to send the results to both Ring and to my ISP who are responsible for the router, (long story but basically Zyxel themselves don't offer personal support for this router).

I have 2 computers I could use Wireshark on, my Apple MAC Studio which does support Monitor Mode but with Sequoia 15.3.1 Wireshark ...(more)

Griswold ( 2025-03-10 10:24:25 +0000 )

You typically won't see IP addresses in a monitor mode capture since WPA2 (and family) are likely in use so the network header and data are encrypted. You would have to prepare for decryption by collecting the EAPOL frames and then go from there. Plenty of links on the Internet on how to do this.

This is FromDS traffic (DS is access point) and you can see the transmitter address (TA) is the AP; you can confirm as the TA matches the BSSID. I suspect this is group traffic sent by this wireless client and the AP has multicast-to-unicast conversion turned on, so the group traffic is simply returned. It would be useful to see the ToDS frame for this and if you decrypt, the Layer3 header should still be intact to see the destination IP address.

Those are a lot of full size frames so decrypting to see ...(more)

Bob Jones ( 2025-03-10 13:04:55 +0000 )

Thanks to all for the excellent information. Much to digest and work with. This is proving to be an interesting exercise in that, following Ring's request, I moved the Chime Pro to a 'guest' network on its own and now not only is the router reporting the Chime Pro sending Pings Of Death, three other Ring devices on the original network are doing the same thing - which they weren't before.

I suspect it has something to do with multicast traffic somehow.

Griswold ( 2025-03-11 16:19:57 +0000 )

I also had a Zyxel reporting "Ping Of Death Attacks". In reality it was just a traceroute with all packets sent in parallel instead of in series (with different TTL).

André ( 2025-03-12 19:10:16 +0000 )

Interesting @Andre, and many thanks for that info.

Was that inbound from an external source or outbound from one of your networked devices?

Griswold ( 2025-03-13 15:16:42 +0000 )
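
André's comment above describes a parallel traceroute being reported as a Ping of Death. The following is an added example, not code from any poster or from Wireshark: it separates the two patterns in raw IPv4 packets, assuming they were captured on the wired side or already decrypted. The verdict names, the `min_hops` and `window` thresholds and the sample packets are constructed for illustration, and it makes no claim about how the Zyxel router decides.

```python
import ipaddress
import struct
from collections import defaultdict

IP_MAX = 65535  # largest legal reassembled IPv4 datagram, in bytes

def parse_ipv4(pkt):
    """Extract the triage fields from one raw IPv4 packet (no link-layer header)."""
    ver_ihl, _, total_len, _, frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (frag & 0x1FFF) * 8                 # fragment offset in bytes
    flow = tuple(str(ipaddress.IPv4Address(pkt[i:i + 4])) for i in (12, 16))
    # The ICMP type byte exists only in the first fragment (offset 0).
    icmp_type = pkt[ihl] if proto == 1 and offset == 0 and len(pkt) > ihl else None
    return flow, ttl, proto, offset + total_len, icmp_type  # 4th = size once reassembled

def classify(packets, min_hops=5, window=1.0):
    """packets: iterable of (timestamp_seconds, raw_ipv4_bytes). Returns {flow: verdict}."""
    oversized, echoes, verdicts = set(), defaultdict(list), {}
    for ts, raw in packets:
        flow, ttl, proto, reassembled_end, icmp_type = parse_ipv4(raw)
        if proto != 1:                           # ICMP only
            continue
        verdicts.setdefault(flow, "ordinary-icmp")
        if reassembled_end > IP_MAX:             # fragment reaches past the 65535-byte limit
            oversized.add(flow)
        if icmp_type == 8:                       # echo request
            echoes[flow].append((ts, ttl))
    wanted = set(range(1, min_hops + 1))         # TTL 1..min_hops, as a traceroute sends
    for flow, seen in echoes.items():
        for start, _ in seen:
            ttls = {ttl for ts, ttl in seen if start <= ts <= start + window}
            if wanted <= ttls:                   # whole TTL ladder inside one short burst
                verdicts[flow] = "parallel-traceroute"
                break
    verdicts.update(dict.fromkeys(oversized, "oversized-datagram"))
    return verdicts

def make_ip(src, dst, ttl, payload, frag=0):
    """Build a constructed sample IPv4/ICMP packet in memory (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag, ttl, 1, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

ECHO = bytes([8, 0]) + bytes(6)                  # constructed ICMP echo request header
SAMPLE = ([(0.001 * t, make_ip("192.168.1.50", "203.0.113.9", t, ECHO)) for t in range(1, 9)]
          + [(float(n), make_ip("192.168.1.51", "192.168.1.1", 64, ECHO)) for n in range(3)]
          + [(5.0, make_ip("192.168.1.52", "192.168.1.1", 64, bytes(100), frag=8189))])
```

Calling `classify(SAMPLE)` labels the burst with TTL 1 to 8 as a traceroute, the TTL 64 pings as ordinary, and only the fragment whose offset plus length passes 65535 bytes as oversized.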


Stats

Asked: 2025-02-25 13:15:53 +0000

Seen: 219 times

Last updated: Mar 11